By now, Data Controller should be aware that under Section 23 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), the Data Controller is required to notify the Data Subject of the details and purposes of the collection, use, or disclosure of personal data through a Privacy Notice before or at the time of collection. In this regard, the Personal Data Protection Commission “PDPC” has issued a guideline regarding this matter of Privacy Notice and the collection of personal data which the Data Controllers must firstly determine whether there are any specific regulations issued by other regulators governing the same matter before complying with this guideline, respectively. If there are and such regulations do not have lower standard than those of PDPA, the Data Controller must follow those regulations.

Prior to preparation of the Privacy Notice, Data Controller must consider the fairness that Data Subject will receive including considering the consequences after the collection, use and disclosure of personal data and specifying the purpose of such collection in clear and plain language, not deceptive or misleading, plus, the purpose for processing personal data must be obvious, specific and lawful in order for the Data Subject to explicitly understand and aware of, particularly for the section relating the disclosure of personal data to third parties, before giving his or her consent. If there are any cases where other legal basis can be applied to the collection, use or disclosure of personal data, the Data Controller may rely upon those legal basis as well. The guideline also lists down details that should be specified in the Privacy Notice.

Section 25 of PDPA imposes the Data Controller to not collect personal data from other sources apart from Data Subject directly; however, the Data controller may do so if the following exceptions are met.

1. The Data Controller is required to inform the Data Subject of such indirect collection within thirty days of the collection date in order to request consent from the Data Subject and process such personal data for a new purpose to which the Data Subject had never previously consented. In practice, this Data Controller who receives personal data from other sources in some cases does not need to provide details under Section 23 because the Data Controller collecting data from other sources supposes to notify it to the Data Subject in the first place. However, if Data Controller collecting data from other sources did not do so, the current Data Controller must comply with Section 23 notifying the Data Subject within thirty days as previously stated above.
2. The current Data Controller is not required to notify the Data Subject of the Privacy Notice and obtain any consent from the Data Subject again if the Data Subject was aware of the purpose and details of personal data collection.
3. If it is impossible for the current Data Controller to notify the Data Subject, the Data Controller must have an appropriate security system to protect the rights, freedoms and benefits of the Data Subject.

In this regard, the Data Controller shall either make a public announcement and state the necessities of such personal data collection or provide the Data Protection Impact Assessment (DPIA) in order to identify and assess the risk or damage that may result from the use or disclosure of personal data.

Author: Panisa Suwanmatajarn, Managing Partner.